Detecting Steganographic Command and Control via File + Network Correlation

Technique Detected: Steganography | T1001.002

ID: DET0235
Domains: Enterprise
Analytics: AN0651, AN0652, AN0653, AN0654
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0651

Detect the creation or modification of common media file formats (e.g., .jpg, .png, .wav) following suspicious process activity like compression or encryption, especially when paired with lateral movement or exfiltration behavior.

Log Sources
Data Component | Name | Channel
Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1
File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11
Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3
Network Traffic Content (DC0085) | NSM:Flow | Session Transfer Content

Mutable Elements
Field | Description
FileExtensionFilter | Allows tuning of monitored file types (e.g., .jpg, .png, .docx).
PayloadEntropyThreshold | Threshold for flagging potential hidden data in outbound payloads.
ExecutionToExfilTimeWindow | Time window between media creation and network transmission.

AN0652

Unusual use of steganographic or media processing binaries (e.g., steghide, ffmpeg, imagemagick) followed by outbound communication to external IPs with high data output and media MIME types.

Log Sources
Data Component | Name | Channel
Process Creation (DC0032) | auditd:SYSCALL | execve
Network Traffic Content (DC0085) | NSM:Flow | Captured File Content
File Metadata (DC0059) | NSM:Flow | Observed File Transfers

Mutable Elements
Field | Description
ToolNameMatch | Specify which binaries to monitor (e.g., steghide, outguess).
OutboundTrafficPattern | Adjust based on known normal file upload services.

AN0653

Abnormal usage of Preview, ImageMagick, or binary editors to alter images/documents, followed by exfiltration or outbound connections with mismatched file MIME types or payload structure.

Log Sources
Data Component | Name | Channel
File Creation (DC0039) | macos:unified | File creation
Process Creation (DC0032) | macos:osquery | process_events
Network Traffic Content (DC0085) | NSM:Flow | C2 exfiltration

Mutable Elements
Field | Description
ParentProcessBaseline | Allow tuning based on expected apps calling image-editing tools.
TimeDelta | Gap between file manipulation and outbound connection.

AN0654

Suspicious modification of file artifacts (e.g., logs, ISO templates) on ESXi datastores, followed by beaconing or POST operations to external IPs potentially hiding payloads in file-like traffic.

Log Sources
Data Component | Name | Channel
File Metadata (DC0059) | esxi:vmkernel | Storage access and file ops
Network Connection Creation (DC0082) | esxi:hostd | Service initiated connections
Network Traffic Content (DC0085) | NSM:Flow | Transferred file observations

Mutable Elements
Field | Description
FilenamePattern | Tune for likely stego file names (e.g., wallpaper.jpg, template.iso).
UnusualDestinationIP | Destination outside vCenter management subnet.
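The file-plus-network correlation that AN0651 and AN0652 describe, as an added example that is not part of the ATT&CK page or any vendor's detection content: it chains a stego/media tool start (Sysmon EventCode 1) to a media file written by that process (EventCode 11) and then to an outbound connection (EventCode 3) whose payload entropy exceeds PayloadEntropyThreshold inside ExecutionToExfilTimeWindow. The event dict layout, the RFC 1918 baseline for "external", and the sample events are assumptions constructed for the example.

```python
import ipaddress
import math
import ntpath
from datetime import datetime, timedelta

# Mutable elements named as on the page; the values here are illustrative tuning choices.
FileExtensionFilter = {".jpg", ".png", ".wav"}
ToolNameMatch = {"steghide", "outguess", "ffmpeg", "convert"}  # 'convert' is ImageMagick
PayloadEntropyThreshold = 7.0                                   # bits per byte (max 8.0)
ExecutionToExfilTimeWindow = timedelta(minutes=15)
# Assumed baseline for "external": anything outside RFC 1918 space and loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; encrypted or compressed payloads approach 8.0."""
    if not data: return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def is_external(ip: str) -> bool:
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def correlate(events):
    """Chain EventCode 1 (tool start) -> EventCode 11 (media file written by that pid)
    -> EventCode 3 (high-entropy payload to an external IP inside the time window)."""
    tools = {e["pid"]: e for e in events if e["code"] == 1 and
             ntpath.splitext(ntpath.basename(e["image"]))[0].lower() in ToolNameMatch}
    media = [e for e in events if e["code"] == 11 and e["pid"] in tools
             and e["ts"] >= tools[e["pid"]]["ts"]
             and ntpath.splitext(e["target"])[1].lower() in FileExtensionFilter]
    alerts = []
    for f in media:
        for c in events:
            if c["code"] != 3 or not is_external(c["dst_ip"]):
                continue
            if not f["ts"] <= c["ts"] <= f["ts"] + ExecutionToExfilTimeWindow:
                continue  # connection precedes the file or falls outside the window
            entropy = shannon_entropy(c.get("payload", b""))
            if entropy >= PayloadEntropyThreshold:
                alerts.append({"tool": tools[f["pid"]]["image"], "file": f["target"],
                               "dst": c["dst_ip"], "entropy": round(entropy, 2)})
    return alerts

T0 = datetime(2025, 10, 21, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed Sysmon-style events, not real telemetry
    {"ts": T0, "code": 1, "pid": 4242, "image": r"C:\Tools\steghide.exe"},
    {"ts": T0 + timedelta(seconds=5), "code": 11, "pid": 4242, "target": r"C:\Users\Public\wallpaper.jpg"},
    {"ts": T0 + timedelta(minutes=2), "code": 3, "pid": 5151, "dst_ip": "203.0.113.7",
     "payload": bytes(range(256)) * 4},       # uniform bytes, entropy 8.0: alert
    {"ts": T0 + timedelta(hours=2), "code": 3, "pid": 5151, "dst_ip": "198.51.100.9",
     "payload": b"GET / HTTP/1.1\r\n" * 20},  # outside the window and low entropy: no alert
]
```

In production the EventCode 3 match is normally also keyed on the process or host that wrote the file, and the entropy check runs against the NSM session content rather than a byte string on the event.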